Tags: android, proxy, frida, pinning

Bypassing security pinning with Frida


I want to bypass SSL pinning in the VeSync application for Android (I'm programming an API for a humidifier, and just decompiling the APK is not enough for me).

When I turn on the SSL proxy, everything works (certificates, Chrome, other apps, even other requests in this app), but the main API stops working; it just says "oops, something went wrong, check connection".

What I did:

  1. rooted my device, enabled debug mode
  2. adb shell getprop ro.product.cpu.abi (output: arm64-v8a)
  3. download frida-server-16.0.11-android-arm64.xz + unzip
  4. download certificate from burp
  5. adb push .\frida-server-16.0.11-android-arm64 /data/local/tmp/frida-server
  6. adb shell "chmod 777 /data-local/tmp/frida-server"
  7. adb shell "/data/local/tmp/frida-server &" (not sure what this is)
  8. adb push .\burp /data/local/tmp/cert-der.crt
  9. frida-ps -Ua
    "22094 VeSync com.etekcity.vesyncplatform"
  10. frida -U --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida com.etekcity.vesyncplatform

from here:

https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/

After a few errors which I fixed (missing libs etc.), cmd just shows:

  1. "Spawning: com.etekcity.vesyncplatform"
  2. the application starts on my phone
  3. internet is still not working in the app

I also tried:

I'm using:

Successfully running bypass script: [screenshot]

App started but not working: [screenshot]

IMPORTANT: I didn't use this step

adb shell
su
cd data/local/tmp
./frida-server

When I run frida-server like this, "frida-ps -Ua" etc. stops working; it just waits and ends with no response after a while, and the phone starts rebooting in a loop... so I basically used this instead and hoped it's the same thing:

`adb shell "/data/local/tmp/frida-server &"`

sadge


Solution

  • Some certificate pinning implementations are hard to bypass after obfuscation because they don't have a name or anything else you could use in a common script. Those cert pinning implementations can only be bypassed by manually decompiling the APK, finding the code that performs the pinning and then writing a Frida script to bypass it.

    You can use, for example, Jadx-GUI to decompile the app if it has been written in Java/Kotlin. If the HTTPS connection is established by code within .so libraries or by a framework like Xamarin or React Native, things get even more complicated.

    Assuming it is a simple Java/Kotlin based app, start with the error message shown in the screenshot. Where is it contained in the app, where is it loaded? What code execution paths lead to the point where this message is displayed?

    If you follow that path, hopefully you will find the networking code. Then check if there are methods accessing the HTTPS server certificate, as this is the common way to implement certificate pinning.
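The procedure in the answer (grep the decompiled sources for the error string and for typical pinning code, then hook the method you find) as an added worked example. This is not code from the question, the answer, or the VeSync app: the class name `com.example.app.net.PinCheck`, the method `verifyChain` and the sample decompiled lines are hypothetical placeholders standing in for whatever jadx-gui actually turns up. The hook section uses the Frida Java bridge and only runs inside Frida; the search and return-value helpers are plain JavaScript so they can be tried without a device.

```javascript
'use strict';
// Added example, not code from the question or the answer. Frida script skeleton for the
// manual bypass the answer describes. Everything marked HYPOTHETICAL is a placeholder:
// the real class/method names must be read out of the jadx-gui decompilation of the APK.

// Strings worth searching for in the decompiled sources. The app's own error message is
// passed in at call time, so the search starts where the answer says to start.
const PINNING_INDICATORS = [
  'checkServerTrusted',   // custom X509TrustManager
  'CertificatePinner',    // OkHttp pinning (class may be renamed by obfuscation)
  'getPeerCertificates',  // manual inspection of the TLS session
  'sha256/',              // hard-coded SPKI pin strings
  'HostnameVerifier',
];

// sources: { 'path/Class.java': 'decompiled text', ... }
// Returns every line containing an indicator or one of the error strings, with file and
// line number, so you can walk from the message to the networking code.
function findPinningCandidates(sources, errorStrings) {
  const needles = PINNING_INDICATORS.concat(errorStrings || []);
  const hits = [];
  for (const [file, text] of Object.entries(sources)) {
    text.split('\n').forEach(function (line, idx) {
      for (const needle of needles) {
        if (line.includes(needle)) {
          hits.push({ file: file, line: idx + 1, needle: needle, text: line.trim() });
        }
      }
    });
  }
  return hits;
}

// What a stubbed pinning method should return so its caller treats the check as passed:
// void -> undefined, boolean -> true. Any other return type needs a hand-written hook.
function passValueFor(returnTypeClassName) {
  if (returnTypeClassName === 'void') return undefined;
  if (returnTypeClassName === 'boolean') return true;
  throw new Error('write a custom hook for return type ' + returnTypeClassName);
}

// HYPOTHETICAL: what following the error string through the decompiled code turned up.
const APP_PINNER_CLASS = 'com.example.app.net.PinCheck';
const APP_PINNER_METHOD = 'verifyChain';

function installHooks() {
  Java.perform(function () {
    // 1. The app-specific pinning method found via jadx-gui: stub every overload.
    const PinCheck = Java.use(APP_PINNER_CLASS);
    PinCheck[APP_PINNER_METHOD].overloads.forEach(function (ovl) {
      ovl.implementation = function () {
        console.log('[pin] ' + APP_PINNER_CLASS + '.' + APP_PINNER_METHOD + ' -> pass');
        return passValueFor(ovl.returnType.className);
      };
    });

    // 2. OkHttp's own pinner, in case the class kept its name. check(String, List) is void,
    //    so returning nothing means "pinned certificate matched".
    try {
      const Pinner = Java.use('okhttp3.CertificatePinner');
      Pinner.check.overload('java.lang.String', 'java.util.List').implementation =
        function (hostname, certs) {
          console.log('[pin] okhttp3.CertificatePinner.check(' + hostname + ') -> pass');
        };
    } catch (e) {
      console.log('[pin] okhttp3.CertificatePinner not found (renamed or not used)');
    }
  });
}

// Inside Frida the `Java` bridge exists; in a plain Node run (exercising the helpers) it does not.
if (typeof Java !== 'undefined') {
  installHooks();
}
```

Usage on the device would be `frida -U -f com.etekcity.vesyncplatform -l pinning.js` after replacing the placeholders with the real class and method from the decompilation; `passValueFor` is deliberately strict so that a method returning, say, a certificate chain fails loudly instead of silently returning `undefined` and crashing the app later.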